Brian Krebs of Krebs on Security just posted an article on RDP hacks that exploit weak or default login credentials, and goes on to describe how that provides the basis for a cybercrime business. His article explains that Makost[dot]net rents access to more than 6000 poorly configured and, therefore, compromised Remote Desktop Protocol (RDP)-enabled servers around the globe. As Krebs says, “…the attackers simply needed to scan the Internet for hosts listening on port 3389 (Microsoft RDP), identify valid usernames, and then try the same username as the password.” It’s a classic brute-force attack and it’s aimed directly at an extremely weak target.
Many people on first reading this would consider this capability a “vulnerability” of Windows, but that’s like saying that an automated teller machine (ATM) has a “vulnerability” that allows you to get cash from your bank account. It’s a feature of the operating system, and Windows is not alone in exposing functionality like it.
The interesting aspect of this RDP hack phenomenon is that it’s a purely access-based threat: no malware, no exploit involved. At its heart, this cyber-criminal operation is based on a list of compromised accounts for specific machines on specific networks. No malware detection system could identify these threats because they used valid login credentials.
This is the perfect example of what I mean when I say that the bad guys are working together productively and the good guys aren’t yet. Makost[dot]net is just one of many black-market information brokerages selling access to these exploits to anyone with the cash. Any attacker can start from zero, swipe a credit card, and immediately punch a hole right through your perimeter.
As an aside, one place for the good guys to start working together would be to create a system to notify the owners of these systems that they’ve been compromised, because as long as they remain unaware, the attackers still have an open door into their networks. And the attackers may be able to use these machines as springboards for attacking other organizations.
What alerting systems can never identify, anomaly-based approaches can
If your organization regularly uses RDP for any legitimate purpose, it’s going to be nearly impossible to identify which accesses are valid and which are attacks, because they all use those same valid credentials—unless you regularly create and update baselines of normal behavior for those RDP-enabled endpoints. There is nothing for any security tool to detect in this scenario except deviations from baselines.
This threat is particularly dangerous in a world where virtual machines (VMs) are increasingly common, often cloned from each other en masse. Nearly all VMs enable remote desktop access, and the users creating them often assume, incorrectly, that they’ll be running in “secure” environments.
Krebs suggests running a quick external port scan of your organization’s internet address ranges to find out whether any RDP-equipped systems are enabled, then points to this University of California at Berkeley document for additional tips on locking down RDP installations. This is a good start, but I would add that you need the ability right now—today—to do these three things:
#1 - Establish visibility to your endpoints.
#2 - Start running baselines of normal behavior on and between those endpoints.
#3 - Set up a way to begin receiving regular alerts on anomalous behavior relative to those baselines.
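The three steps above and the earlier point about deviations from baselines describe one detection loop: collect RDP logon events from the endpoints, learn what is normal for each host, then alert on anything outside that. The script below is an added example for this post, not code from Guidance Software, EnCase Analytics, or Krebs on Security. It assumes logon records have already been collected into a simple pipe-delimited form modelled on Windows Security event 4624 with logon type 10 (RemoteInteractive, i.e. RDP); the field layout, host name, usernames and addresses are all constructed for the example.

```python
"""
Baseline-and-deviation detection for RDP logons (added example).

Input format (an assumption for this example, modelled loosely on
Windows Security event 4624): one record per successful logon,
    timestamp|host|user|logon_type|source_ip
Logon type 10 is RemoteInteractive, which is what an RDP session produces.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample records: a few days of normal RDP use on one server,
# plus one non-RDP service logon (type 5) that the baseline must ignore.
BASELINE_LOG = """\
2013-12-02T09:01:10|FILESRV01|jsmith|10|10.0.5.21
2013-12-02T09:04:33|FILESRV01|jsmith|10|10.0.5.21
2013-12-03T08:58:02|FILESRV01|jsmith|10|10.0.5.21
2013-12-03T13:12:45|FILESRV01|admin_ops|10|10.0.5.40
2013-12-04T09:00:11|FILESRV01|jsmith|10|10.0.5.21
2013-12-04T17:40:19|FILESRV01|admin_ops|10|10.0.5.40
2013-12-04T17:41:00|FILESRV01|svc_backup|5|-
"""

# Constructed sample records for the next day: two normal sessions and two
# valid-credential logons from an unfamiliar address in the early morning.
NEW_LOG = """\
2013-12-05T09:02:51|FILESRV01|jsmith|10|10.0.5.21
2013-12-05T03:17:08|FILESRV01|admin_ops|10|203.0.113.77
2013-12-05T03:18:30|FILESRV01|administrator|10|203.0.113.77
2013-12-05T13:30:00|FILESRV01|admin_ops|10|10.0.5.40
"""

RDP_LOGON_TYPE = "10"


def parse(log_text):
    """Turn the pipe-delimited records into dicts with a parsed timestamp."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, user, logon_type, src = line.split("|")
        events.append({
            "ts": datetime.fromisoformat(ts),
            "host": host,
            "user": user,
            "logon_type": logon_type,
            "src": src,
        })
    return events


def build_baseline(events):
    """Per host, remember which (user, source IP) pairs and which hours of the
    day have produced RDP logons. Returns host -> {"pairs": set, "hours": set}."""
    baseline = defaultdict(lambda: {"pairs": set(), "hours": set()})
    for e in events:
        if e["logon_type"] != RDP_LOGON_TYPE:
            continue  # only RDP sessions contribute to the RDP baseline
        b = baseline[e["host"]]
        b["pairs"].add((e["user"], e["src"]))
        b["hours"].add(e["ts"].hour)
    return baseline


def find_deviations(baseline, events):
    """Flag RDP logons whose user/source pair or hour of day was never seen
    in the baseline. Valid credentials alone do not make a logon normal."""
    alerts = []
    for e in events:
        if e["logon_type"] != RDP_LOGON_TYPE:
            continue
        b = baseline.get(e["host"])
        reasons = []
        if b is None:
            reasons.append("host has no RDP baseline")
        else:
            if (e["user"], e["src"]) not in b["pairs"]:
                reasons.append("new user/source pair")
            if e["ts"].hour not in b["hours"]:
                reasons.append("outside baseline hours")
        if reasons:
            alerts.append((e["ts"].isoformat(), e["host"], e["user"], e["src"], reasons))
    return alerts


if __name__ == "__main__":
    baseline = build_baseline(parse(BASELINE_LOG))
    for alert in find_deviations(baseline, parse(NEW_LOG)):
        print(alert)
```

Run against the constructed data, the two `jsmith` and `admin_ops` sessions that match a known user/source pair at a familiar hour pass silently, while both early-morning logons from 203.0.113.77 are reported, one of them for a valid `admin_ops` credential that a password-based control would never question. In practice the baseline should be rebuilt on a rolling window so that staff changes do not generate permanent alerts, and the hour-of-day check is deliberately coarse; the point is that the only signal in this scenario is the deviation, so the baseline has to exist before it can be used.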
EnCase® Analytics can help with all three. In the meantime, sites like Makost just illustrate how important it is for the good guys to start working together as productively as the bad guys have been.
Have suggestions? War stories? I welcome discussion in the comments section below.